Re: concrete steps for improving apt downloading security and privacy

[Paul Wise <pabs@debian.org>]

On Fri, Sep 19, 2014 at 9:30 AM, Hans-Christoph Steiner wrote:

> Finally did this:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762153

Please note that you proposal to add signatures to .deb files will
break reproducible builds because the hash of the .deb will differ
depending on who signed it:

https://wiki.debian.org/ReproducibleBuilds

I think it would be far better to ship detached signatures in the
archive since that allows for reproducible builds and also means there
could be more than one signer (say one buildd, one Debian sponsor and
one package maintainer).

-- 
bye,
pabs

https://wiki.debian.org/PaulWise